Tamas Rudnai wrote:
> I have seen Dumitru Codreanu's presentation at the HITB 2010 in Amsterdam, however, I can't find the PDF of his presentation right now. He had some numbers on what he could achieve on graphics cards and FPGA cards to sign messages (brute-forcing the MD5 signatures until it looks like it was signed by the originator). As far as I remember he said he was able to produce a couple of mails per hour, which does not seem to be a big number, but then the malicious e-mail could be sent to as many targets as you wanted to, so you could lure your victim to click on links and/or run the executable attached to the e-mail. Also he only used a single card, whereas if you have the funds you could use several in parallel to increase speed. That was in 2010, not sure how far he went on this with the hardware boards and knowledge.

If someone publicly proved they had a practical full preimage attack against md5 I think it would be very big news very quickly. The fact that searching for md5 preimage doesn't turn up anything about one makes me think that it's far more likely you misinterpreted the talk than that he had a full preimage attack on md5.

My understanding with md5 is that various increasingly sophisticated collision attacks have been found such that any application of md5 where the attacker has some but not complete control over the content of the "good" version of the data to be hashed must be considered vulnerable. For example someone managed to construct a fake CA intermediate certificate through a collision based process (though CAs have since tightened up their policies to make this much harder). However applications where the attacker has no control at all over the "good" version of the data to be hashed are still probably ok for now.
> http://conference.hitb.org/hitbsecconf2010ams/index.html%3Fpage_id=24.html

The talk listed there seems to be about cracking "hashcash" and "postmark", which only requires a way to more efficiently generate partial preimages, not a way to generate full preimages.

> Some other interesting links I have just found:
>
> http://research.microsoft.com/pubs/64588/hash_survey.pdf

Interesting background, though it is a bit older now.

> http://www.youtube.com/watch?v=zEwWvVP_RU0
> http://www.securitytube.net/video/419
> http://www.md5decrypter.co.uk

Those are all password crackers. Password crackers rely not on flaws in the hash function but on the fact that most people use "weak" passwords.

Password cracking has got increasingly sophisticated, in particular hackers have obtained massive real password databases. By analysing the passwords people are really using and mangling and combining them in various ways they can make ever better guesses at the passwords hiding behind the unknown hashes in the leaked databases, and they are getting ever faster at processing those guesses against hashes in the "to be cracked" database. Salting and deliberately slow hash functions can help, but IMO unless you have a policy of requiring long randomly generated passwords then you pretty much have to assume that a password hash database compromise means a compromise of a large proportion of the passwords held within.

Estimating the strength of a user supplied password is virtually impossible because you don't know what information the user used to create it and whether that information will or will not be available to an attacker now or in the future.
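To make the partial-versus-full preimage distinction concrete, here is an added example (not from either message, nor from the HITB talk) of a simplified hashcash-style stamp: the minter searches for a counter whose MD5 digest has k leading zero bits, which costs about 2^k hash evaluations, while a full preimage of a 128-bit digest would cost about 2^128. The header string and stamp format are constructed for illustration and are not the real hashcash format.

```python
import hashlib
from typing import Tuple


def leading_zero_bits(digest: bytes) -> int:
    """Count how many leading bits of the digest are zero."""
    count = 0
    for byte in digest:
        if byte == 0:
            count += 8
            continue
        count += 8 - byte.bit_length()  # zero bits before the first set bit
        break
    return count


def stamp_digest(header: bytes, counter: int) -> bytes:
    """MD5 of header || ':' || counter (simplified stamp layout, assumed here)."""
    return hashlib.md5(header + b":" + str(counter).encode("ascii")).digest()


def mint_partial_preimage(header: bytes, difficulty_bits: int) -> Tuple[int, int]:
    """Hashcash-style minting: find a counter whose digest starts with at least
    `difficulty_bits` zero bits. Returns (counter, attempts). The work grows as
    roughly 2**difficulty_bits, which is why k = 20 is cheap but k = 128 is not."""
    counter = 0
    while True:
        if leading_zero_bits(stamp_digest(header, counter)) >= difficulty_bits:
            return counter, counter + 1
        counter += 1


def verify_stamp(header: bytes, counter: int, difficulty_bits: int) -> bool:
    """Verification is a single hash: cheap for the recipient, expensive to mint."""
    return leading_zero_bits(stamp_digest(header, counter)) >= difficulty_bits


def expected_attempts(difficulty_bits: int) -> int:
    """Expected hash evaluations for a k-bit partial preimage (full MD5 preimage: k=128)."""
    return 2 ** difficulty_bits


if __name__ == "__main__":
    # Constructed sample header standing in for (date, resource, random) fields.
    hdr = b"20100701:alice@example.invalid:r4nd0m"
    ctr, tries = mint_partial_preimage(hdr, 16)
    print(f"counter={ctr} after {tries} tries (expected ~{expected_attempts(16)})")
    print("valid:", verify_stamp(hdr, ctr, 16))
    print("full preimage would need ~2^128 =", expected_attempts(128))
```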